Exposed Admin Panel of a National Information Society Agency: an ASM Perspective

A recent security breach at South Korea’s National Information Society Agency (NIA), a key organization specializing in AI and information technology, exposed an admin panel in its system. Source code was leaked from several government agencies managed by NIA, including the Ministry of the Interior and Safety and the Ministry of Foreign Affairs. NIA is an agency responsible for informatization and IT-related business of government departments. According to “Boan News,” the breach included a total of 9 NIA pages exposed to the public, among which were a product admin panel with account information and output channels. This greatly expanded the scope of the security risk.

Recent findings indicate that the port for the admin panel was left open on the firewall, allowing unauthorized external access. An exposed admin panel increases the risk of unauthorized access and brute-force attacks. It also exposes the system to malware injection, DoS/DDoS attacks, and the leakage of sensitive information. Other vulnerabilities in the system may also be targeted. This article explores the severity of exposed admin panels using threat-hunting tools. We will discuss the critical role of continuous monitoring with attack surface management (ASM) solutions and offer practical steps to secure internal servers.

Current Scope of Exposed Admin Panels, Unveiled With Threat-Hunting Tool

Exposed admin panels are often the result of:

  • Default settings being left unchanged
  • Misconfigured firewalls
  • Port forwarding configuration errors
  • Skipping VPNs
  • Insufficient security awareness among administrators
  • Absence of automated scanning tools
  • Software or firmware bugs and vulnerabilities

In most cases, ports are left open and unattended because of human error, whether they were opened out of necessity or by mistake. The threat-hunting tool Criminal IP assigns an ‘Admin’ tag to IP addresses associated with admin panels. A search for the tag: “Admin” within Criminal IP’s Asset Search reveals that, as of November 14, there are a total of 2,149,465 exposed admin servers worldwide.

Query: tag: “Admin”

A search for the tag: “Admin” within Asset Search in Criminal IP reveals more than 2 million exposed admin panels worldwide

This reveals a surprisingly large number of admin panels exposed to the public. Scrolling further down, you can view the most commonly used protocols and port numbers associated with the ‘Admin’ tag.

In the search results for the tag: “Admin”, the protocols and port numbers frequently used by exposed admin panels are shown

As shown in the ‘Top Services’ results, admin panels often have remote access, data management, and file transfer protocols enabled, with ports left open for easier access. However, since these open ports provide entry to sensitive internal servers and data, they pose a significant risk of severe information leaks if exploited. The fact that standard ports (well-known ports) make up over 40% of the open ports suggests that hackers looking for gaps in the admin panel can easily find an attack vector.

Detecting Exposed Admin Panels With Attack Surface Management Solution, Criminal IP ASM

Previously, we looked at how the threat-hunting tool Criminal IP identifies exposed admin panels worldwide using the ‘Admin’ tag. Now we focus on how businesses and public organizations can check whether their own admin panels are exposed to the Internet. The root cause of exposed admin panels is a failure to identify and close open ports. Automated port scanning tools can detect these open ports from the outside, allowing organizations to verify their security configurations and ensure no unnecessary ports are left open.
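
A minimal version of such an outside-in check, as an added example (not Criminal IP's code): it attempts TCP connections to your own assets and reports every reachable port that is not on an approved list. The hostnames, the approved-port policy and the watch list of ports are constructed placeholders; run it from a network location outside the perimeter, against assets you are responsible for.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed policy: the only ports each asset is approved to expose.
# Hostnames use the reserved .example TLD and are placeholders.
APPROVED = {
    "www.corp.example": {80, 443},
    "admin.corp.example": set(),   # admin panel: nothing should be reachable
}
# Assumed watch list of ports often used by management interfaces.
WATCH_PORTS = [22, 80, 443, 3389, 8080, 8443]

def is_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or unresolvable
        return False

def audit(approved, ports, timeout=1.0):
    """Return sorted (host, port) pairs that are reachable but not approved."""
    targets = [(h, p) for h in approved for p in ports]
    with ThreadPoolExecutor(max_workers=32) as pool:
        results = pool.map(lambda t: is_open(t[0], t[1], timeout), targets)
    return sorted((h, p) for (h, p), up in zip(targets, results)
                  if up and p not in approved[h])

if __name__ == "__main__":
    for host, port in audit(APPROVED, WATCH_PORTS):
        print(f"UNAPPROVED EXPOSURE {host}:{port}")
```

Scheduling this daily and alerting on any non-empty result gives a small-scale equivalent of the continuous check the article describes.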

Criminal IP ASM is a SaaS-based Attack Surface Management (ASM) solution that detects risks across IT assets, including open ports, on a daily basis. It visualizes these risks through an easy-to-read dashboard and detailed reports. The web dashboard provides an overview of automatically detected IT assets and associated risks. Each risk is categorized by 3 priority levels (High, Medium, or Low), so you can quickly focus on what needs immediate response.

The Criminal IP ASM dashboard, showing risk status categorized into three response priority levels

By clicking on the Risk section in the dashboard, users are directed to a Risk page. Here, users can check the complete record of the potential risk entry points, including: 

  • Admin panel leaks
  • Database
  • Internal server exposures
  • Firewall misconfigurations
  • API key leaks
  • Remote access services
  • Other threat components

Each risk entry includes details such as the IT asset involved, response priority, active applications, detection date, and screenshots. By clicking the ‘IP Report’ or ‘Domain Report’ button, you can check the details of the IT asset where the risk was discovered and how to take action. The Risk page supports filtered search, so users can narrow the list to high-risk or time-sensitive issues and review the prioritized remediation steps.

Below is a screen showing a part of an ASM report for a domain with an exposed admin panel.

A part of an ASM Report for a domain with an exposed admin panel

The domain in question hosts an admin panel and includes the ‘admin’ keyword in its name. Its internal server was exposed to the public, so it was flagged as having an Internal Server risk. The fact that an internal server was detected externally indicates a high probability that sensitive data is exposed or at risk. Therefore, it is classified as High risk. Clicking ‘How to Fix’ in the ‘Risk’ section above, or scrolling down to the bottom of the ASM report, shows why and how the detected risk should be resolved.

The actionable steps for the internal server exposure detected by Criminal IP ASM

As presented in the ‘How to Fix,’ it is important to review DNS records, strengthen firewall rules, and apply security patches to solve internal server exposure problems. A continuous security monitoring system must be established as well, to check if internal server ports are exposed to the Internet.

Preventing Source Code Leaks with Attack Surface Management: Detecting Your Domain on GitHub

Another key point in this incident is that the source code of government departments was exposed to the public. Source code leaks are particularly dangerous because they can reveal key information, such as technical know-how or algorithms contained in the code, API keys, and passwords. This opens the door for malicious code or backdoors to be inserted into the code. In some cases, source code tied to the domain of a company or organization is leaked through public repositories such as GitHub. Therefore, identifying and promptly reviewing domains with external mentions can help prevent further source code leaks.
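
The same review can be run on your own code before it is published, as an added example (not Criminal IP's code): the sketch below walks a source tree and reports lines that mention hostnames under your domain or that assign credential-like values. The domain `corp.example`, the file contents and the keyword list are constructed for illustration.

```python
import os
import re
import tempfile

def build_patterns(domain):
    """Regexes for hostnames under `domain` and simple credential assignments."""
    host = re.compile(r"\b(?:[a-z0-9-]+\.)*" + re.escape(domain) + r"\b", re.I)
    secret = re.compile(
        r"(?i)\b(api[_-]?key|secret|passw(?:or)?d|token)\b"
        r"\s*[:=]\s*['\"]?([^\s'\"]{8,})")
    return host, secret

def scan_tree(root, domain):
    """Return findings as (relative path, line number, kind, match)."""
    host_re, secret_re = build_patterns(domain)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".git")
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for lineno, line in enumerate(fh, 1):
                    for m in host_re.finditer(line):
                        kind = "admin-host" if "admin" in m.group(0).lower() else "domain"
                        findings.append((rel, lineno, kind, m.group(0)))
                    for m in secret_re.finditer(line):
                        # Record only the variable name, never the secret value.
                        findings.append((rel, lineno, "credential", m.group(1)))
    return findings

def demo():
    """Scan a constructed two-file tree; all names and values are made up."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "settings.py"), "w") as fh:
            fh.write('ADMIN_URL = "https://admin.corp.example:8443/login"\n'
                     'API_KEY = "CONSTRUCTED-not-a-real-key"\n')
        with open(os.path.join(root, "README.md"), "w") as fh:
            fh.write("Docs live at https://docs.corp.example/\n")
        return scan_tree(root, "corp.example")

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```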

Criminal IP ASM comprehensively detects externally exposed servers, internal pages, and important information. Its capability of detecting domains mentioned on GitHub can help mitigate the situation above. Below is a part of the ASM report of a domain mentioned in GitHub repositories.

A part of the ASM report of a domain mentioned in GitHub repositories

In this case, too, actionable steps are provided. The disclosure of company assets on GitHub is a security threat that increases the possibility of external access and information leakage. In such a case, the information must be made private immediately, and continuous monitoring is essential.

Actionable steps for company assets exposed on GitHub. Keeping information private and continuous monitoring are mandatory

Attack Surface Management, Critical for Businesses and Public Institutions

This article covered examples of admin panel disclosure and source code leaks. It also addressed the severity and solutions of internal server exposure, as well as information leakage through threat-hunting tools and attack surface management.

Many security threats stem from commonly neglected assets and risks. In enterprise and organizational IT environments in particular, even a single attack can lead to severe consequences. Yet identifying the exposure of major assets can be challenging, which makes those assets easier targets for attackers. Security threats are constantly evolving, and a one-time vulnerability diagnosis alone cannot cover the full scope. Often, newly created risks go unrecognized altogether.

In conclusion, enterprises and organizations should utilize an Attack Surface Management (ASM) solution to continuously detect and manage the exposure of internal servers, including admin panels. ASM solutions enable real-time identification of system vulnerabilities, minimize risks, and reduce exposure to external attackers. This makes it possible to enhance security more effectively and prevent infringement incidents by systematically managing attack surfaces.

For additional use cases of Criminal IP ASM, refer to Detecting Exposed Cyber Assets: Criminal IP ASM Use Case (2).


This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.

Source: Criminal IP (https://www.criminalip.io/)
